Date: Wed, 25 Oct 2000 23:37:17 -0700
From: "Crist J . Clark"
To: Andrew Penniman
Cc: Mike Hoskins, freebsd-security@FreeBSD.ORG
Subject: Re: request for example rc.firewall script
Message-ID: <20001025233717.Y75251@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <002d01c03f06$18b2d260$29a63018@bur.adelphia.net>
In-Reply-To: <002d01c03f06$18b2d260$29a63018@bur.adelphia.net>; from apenniman@adelphia.net on Thu, Oct 26, 2000 at 12:34:57AM -0400

On Thu, Oct 26, 2000 at 12:34:57AM -0400, Andrew Penniman wrote:
> 
> > On Tue, 24 Oct 2000, Crist J . Clark wrote:
> > 
> > > > check-state
> > > > allow ip from a.b.c.d to any keep-state
> > > > allow ip from x.y.z.z/24 to any keep-state
> > > Eep! You've left yourself _very_ vulnerable to spoofing.
> > 
> > From the internal net you mean? If so, I agree. Given I'm the only
> > person using my 'LAN', I've accepted that as a liveable risk. ;)
> 
> The spoofing threat is external. An evil bad person could spoof your
> external IP and have full access to your services by the first rule. They
> could do the same by spoofing any of the x.y.z.z/24 addresses.
> 
> Why would your external IP be talking to the internal system? I think I'd
> get rid of that rule completely.
> 
> To prevent spoofing on the x.y.z.z/24 network, add the following rule to
> prevent x.y.z.z/24 sourced traffic coming into the machine from the outside
> world:
> 
> deny ip from x.y.z.z/24 to any via xx0 in
> 
> where xx0 is your external interface.
> 
> No?

I think,

allow ip from a.b.c.d to any keep-state out
allow ip from x.y.z.z/24 to any keep-state in via yy0

Where yy0 is the internal interface, is better. Go for the explicit
pass, default deny.

-- 
Crist J. Clark                          cjclark@alum.mit.edu
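The following rc.firewall-style fragment is an added example, not code from the thread or from FreeBSD's own /etc/rc.firewall: it puts the anti-spoofing deny from the quoted message in front of the "explicit pass, default deny" rules Crist proposes, using the thread's placeholders (a.b.c.d, x.y.z.z/24, xx0, yy0). The ${fwcmd} variable follows the rc.firewall convention but is assumed to default to echo here, so the script only prints rules until fwcmd is set to /sbin/ipfw.

```sh
#!/bin/sh
# Added example, not a ruleset from the thread or from FreeBSD's rc.firewall.
# Placeholders as used in the thread: a.b.c.d = external address,
# x.y.z.z/24 = internal net, xx0 = external interface, yy0 = internal one.
# ${fwcmd} mirrors the rc.firewall convention; it defaults to "echo" here so
# the script only prints rules until you set fwcmd=/sbin/ipfw (assumption).

fwcmd="${fwcmd:-echo}"

build_rules() {
    oif="$1"    # external interface (xx0)
    iif="$2"    # internal interface (yy0)
    oip="$3"    # our external address (a.b.c.d)
    inet="$4"   # internal network (x.y.z.z/24)

    ${fwcmd} -f flush

    # Loopback traffic is fine; 127/8 must never appear on a real interface.
    ${fwcmd} add 100 allow ip from any to any via lo0
    ${fwcmd} add 200 deny ip from any to 127.0.0.0/8
    ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

    # Anti-spoofing, evaluated before any stateful allow: a packet arriving
    # on the outside interface can never legitimately carry one of our own
    # addresses as its source.
    ${fwcmd} add 1000 deny ip from "${inet}" to any in via "${oif}"
    ${fwcmd} add 1010 deny ip from "${oip}" to any in via "${oif}"

    # Stateful pass: replies to flows opened below match the dynamic rules.
    ${fwcmd} add 2000 check-state
    # The host itself may open connections outward from its own address...
    ${fwcmd} add 2100 allow ip from "${oip}" to any keep-state out
    # ...and the LAN may open connections only when they enter on the inside
    # interface, so the same source seen on xx0 is never passed.
    ${fwcmd} add 2200 allow ip from "${inet}" to any keep-state in via "${iif}"

    # Default deny: anything not explicitly passed above is dropped and logged.
    ${fwcmd} add 65000 deny log ip from any to any
}

build_rules xx0 yy0 a.b.c.d x.y.z.z/24
```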